U.S. Companies Beware: Don’t Trip Over These 3 Areas Of The GDPR

When fines for noncompliance can reach up to 4 percent of global annual turnover or $20M euros (whichever is greater), there are significant reasons to take heed of GDPR compliance.


By now, you have probably heard about the General Data Protection Regulation, or “GDPR,” that becomes effective this month — a comprehensive (and complicated) update to the EU data privacy laws designed to “make Europe fit for the digital age,” according to the European Commission. To that extent, the GDPR does not disappoint — it sets forth a framework for data protection across EU member states that is designed to ensure that EU citizens can maintain some level of control over their “personal data.” That said, many U.S. companies are woefully unprepared (or underprepared) for GDPR compliance, and we have our own handling of personal data privacy to blame for it.

To understand this problem, a little background is helpful. The GDPR takes the place of the old EU Data Privacy Directive (“EUDPD”) from 1995. The EUDPD was created to address the disparate handling of personal data between EU member states and, as a result, foster the free flow of information within the EU. Although the EUDPD set forth a specific framework for the handling of personal information in the EU, the internet was still in its infancy when the EUDPD was implemented — as the internet expanded and its scope grew, the EUDPD became outdated. Recognizing this problem, the EU passed the GDPR in 2016, giving an effective date of May 25, 2018, for compliance.

So why all the talk about U.S. company compliance? The problem stems from differences between the U.S. and EU regarding the handling of personal information. In the U.S., the handling of “personally identifiable information” has centered on companies themselves — the focus has essentially been on how companies inform individuals about their collection, use and sharing of such personal information while providing individuals the ability to “opt out” of such uses in certain areas. Under the GDPR, however, the focus is on the individual, requiring (among other things) individual consent to the use of “personal data” — a definition that is broader than just personally identifiable information, covering data such as email addresses and even IP addresses for personal mobile devices. In essence, the GDPR provides for individuals to maintain control over their personal data and “license” its use to those companies collecting and using it.

Unfortunately, this fundamental difference is only the tip of the iceberg when it comes to the GDPR, but you can see where this is going. Application of the GDPR is simply not limited to EU companies — under Article 3 of the GDPR, if U.S. companies are targeting the collection of “personal data” from EU citizens in the EU, the requirements of the GDPR absolutely apply. So what is a company to do? Needless to say, a multitude of professionals have been struggling with this very issue. Although the application of the GDPR to a business is something that requires a case-by-case analysis, here are three areas worth noting that can really trip up a business if you are not careful:

Consent. Where companies have an online presence and are targeting the collection of “personal data” from EU citizens, there is no question that consent from the targeted individuals will be required. Such consent, however, must be “freely given, specific, informed, and unambiguous” under Article 4 of the GDPR. This means that merely having a privacy policy that explains what is collected, how it is used, etc. is not enough. Suffice it to say, any consent will need to be explicit, informed, demonstrable and not otherwise an acknowledgement of existing terms or policies.

“Personal Data Breach.” For any “personal data” collected from EU citizens in the EU, the U.S. company must also protect it GDPR-style. In most cases, U.S. companies already complying with existing data security guidelines are in good shape, but not necessarily out of the woods. Under Article 33, the GDPR requires that “data controllers” provide 72-hour notice of a “personal data breach” to the appropriate “supervisory authority,” but this notice is not required if “the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons.” This notice period is far shorter than what most U.S. companies may be used to, and where notice is required, it demands more information than most incident response plans for U.S. companies may be prepared to provide under such circumstances. Without question, U.S. companies should revisit such incident response plans for GDPR compliance, and consider incorporating notification procedures for the handling of such “personal data.”


The “Right to Be Forgotten.” Unlike in the U.S., EU data subjects have the right to demand the erasure of their personal data “without undue delay” under certain circumstances (such as where the data controller no longer requires the information, or where the data subject was a child at the time of collection) under Article 17 of the GDPR. That said, there are a number of exceptions listed as well (such as where there is a legal requirement to maintain the personal data for a specific period of time, or “for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes”). Not only must U.S. companies implement a mechanism for erasure, but they must also implement policies and procedures to determine when erasure is required for proper compliance with such Article 17 requirements.

As a practicing attorney who has been dealing with domestic and international data privacy for over 20 years, I can confidently state that the GDPR is comprehensive, but complicated. Worse, it is untested. When fines for non-compliance can reach up to 4 percent of global annual turnover or $20M euros (whichever is greater), there are significant reasons to take heed of GDPR compliance. Addressing the aforementioned areas is a step in the right direction, but remember that properly assessing GDPR risk and achieving compliance will require far more. So take a good look at the path towards GDPR compliance for your U.S. business — getting tripped up is far easier than you may think. If you have yet to address it (or think it simply doesn’t apply), you are already falling down and don’t even know it.


Tom Kulik is an Intellectual Property & Information Technology Partner at the Dallas-based law firm of Scheef & Stone, LLP. In private practice for over 20 years, Tom is a sought-after technology lawyer who uses his industry experience as a former computer systems engineer to creatively counsel and help his clients navigate the complexities of law and technology in their business. News outlets reach out to Tom for his insight, and he has been quoted by national media organizations. Get in touch with Tom on Twitter (@LegalIntangibls) or Facebook (www.facebook.com/technologylawyer), or contact him directly at tom.kulik@solidcounsel.com.
